IE8, Safari 4, Firefox 3, iPhone fall on day 1 of Pwn2Own

Day one of the pwn2own security contest has seen successful attacks on the …

The first day of the annual Pwn2Own contest in which security researchers can win cash and hardware if they successfully compromise machines using zero-day exploits is finished. Internet Explorer 8 on Windows 7, Firefox 3 on Windows 7, Safari 4 on Mac OS X 10.6, and iPhone OS 3 were all compromised during the competition. Google's Chrome was the only browser left standing—and in fact, was completely untested. None of the researchers at the competition even tried to attack Chrome.

So far, little is known about the successful exploits. Until vendors have been informed of the flaws and those flaws have been patched, details will not be made public.

The iPhone was not successfully hacked in 2009's competition, but was predicted to fall this year, and those predictions have come true. A zero-day Safari flaw was used to gain access to text messages stored on the device by Vincenzo Iozzo from German security firm Zynamics and Ralf-Philipp Weinmann, a post-doctoral researcher at the University of Luxembourg. Notable in the exploit was that it bypassed both iPhone's Data Execution Protection as well as its requirements that all code be signed.

A little more is known about the IE8 exploit, including an (abridged) video of the browser being taken down. The successful researcher, Peter Vreugdenhil, has published a rough outline of the techniques used to bypass IE8's DEP and ASLR protections.

The Safari hack came from Charlie Miller; this makes three years in a row now that Miller has pwned—and hence owned—a Mac at pwn2own. Thus far, nothing further about either this exploit or the Firefox one appears to have been published.

Neither the iPhone exploit nor the IE8 exploit managed to escape the OS-supplied sandboxes that protect these platforms. Without escaping the sandboxes, the impact that flaws can have is reduced, preventing, for example, writing to hard disk (and hence, preventing installation of malware). Nonetheless, read-only access is still valuable for data theft.

It is this sandboxing that might explain why Google's Chrome was untouched; no researcher even attempted to attack it. It is certainly not the case that Chrome has no security flaws—a couple of days before the Pwn2Own draw was made to decide who got to attack which machine and in what order, Google published an update to Chrome that fixed a range of security flaws, some of which were deemed to be high-risk. Google's sandboxing shouldn't be impenetrable, but it is sufficient to make the standard harmless exploit payload—starting up Windows calculator—harder to do.